Court Revives Heartland Card Breach Case

Roughly two years after initially losing, an appeals court breathed new life into 14 credit unions’ hopes to recover some of their losses from an enormous 2008 card data breach.

The victory came from a panel of the Fifth Circuit Court of Appeals in New Orleans, which ruled Sept. 3 that the plaintiffs have a negligence claim against Heartland Payment Systems.

The breach has been recognized as one of the largest ever, compromising information from more than 100 million U.S. consumers. Litigation was brought by banks and credit unions and then consolidated into one complaint heard by U.S. District Judge Lee Rosenthal in Southern Texas.

Plaintiff credit unions include the $130 million Matadors Community Credit Union of Chatsworth, Calif., the $1.8 billion GECU of El Paso, Texas; the $1.6 million MidFlorida Credit Union of Lakeland, Fla., and the $4.2 billion Pennsylvania State Employees Credit Union headquartered in Harrisburg, Penn.

The credit unions and banks that brought suit declined to participate in a settlement agreement Visa negotiated and sponsored.

Rosenthal ruled against the financial institutions in late 2011. The card issuers appealed, targeting the negligence and responsibility for losses.

In a 10-page opinion, the New Orleans-based Fifth Circuit Court of Appeals agreed, ordering the lower court to reexamine the case’s negligence claims saying Heartland had reason to foresee issuer banks would suffer economic losses if it acted negligently. It also said Heartland should only be exposed to a reasonable amount of loss recovery from a limited number of entities.

Heartland declined to comment on the decision and calls to other large credit union plaintiffs for comment were not returned.

But Greg Smith, CEO of plaintiff credit union PSECU, said his credit union was pleased with the decision, calling one more step in the effort to hold processors accountable, both for financial losses and loss of trust from credit union members.

Smith said the breach cost PSECU almost $300,000. Costs would have been higher had the credit union not closed card accounts and reissued cards quickly, he said.

Even though expiration dates had closed off the fraud threat from the cards which might have been compromised but not reported from the Heartland theft, Smith said the continuing market for stolen card data kept the fraud theft alive.

“As long as you can go to any number of websites and buy card numbers and data for a relatively low price, there is going to be a lingering risk of fraud,” he said.